From ea194dbe56799dc3c38e042b9a04e96908464196 Mon Sep 17 00:00:00 2001
From: Mike McLean <mikem@redhat.com>
Date: Oct 02 2019 14:56:52 +0000
Subject: joinpath function


---

diff --git a/koji/util.py b/koji/util.py
index eaf7813..0bdb962 100644
--- a/koji/util.py
+++ b/koji/util.py
@@ -455,6 +455,22 @@ def relpath(*args, **kwargs):
     return os.path.relpath(*args, **kwargs)
 
 
+
+def joinpath(path, *paths):
+    """A wrapper around os.path.join that limits directory traversal"""
+
+    # note that the first path is left alone
+
+    newpaths = []
+    for _p in paths:
+        p = os.path.normpath(_p)
+        if p == '..' or p.startswith('../') or p.startswith('/'):
+            raise ValueError('Invalid path segment: %s' % _p)
+        newpaths.append(p)
+
+    return os.path.join(path, *newpaths)
+
+
 def eventFromOpts(session, opts):
     """Determine event id from standard cli options